  ,-._,-.    Sagan [http://sagan.softwink.com]
  \/)"(\/    By Champ Clark III & The Softwink Team: http://www.softwink.com
   (_o_)     Copyright (C) 2009-2011 Softwink, Inc., et al.
   /   \/)
  (|| ||)
   oo-oo

Softwink, Inc. [https://www.softwink.com] is proud to release Sagan version 0.1.8 [http://sagan.softwink.com].

What is Sagan?

Sagan is multi-threaded, real-time system- and event-log monitoring software, but with a twist. Sagan uses a "Snort"-like rule set for detecting nefarious events happening on your network and/or computer systems. If Sagan detects a "bad thing" happening, it can do a number of things with that information. For example, Sagan can store the information to a Snort MySQL database for viewing with utilities like Snorby [http://www.snorby.org], it can send e-mail(s) about the event to the appropriate personnel, it can store to a Prelude back end, and it can spawn external utilities, among numerous other things. Sagan can also correlate the events with your Intrusion Detection/Intrusion Prevention (IDS/IPS) system and basically acts like a SIEM (Security Information & Log Management) system.

What's new in Sagan?

* Unified2 output. [src/output-plugins/sagan-unified2.c]
  This allows Sagan to work in conjunction with programs like Barnyard2 [http://www.securixlive.com/barnyard2/] or Snoge [http://leonward.wordpress.com/snoge/]. Via Barnyard, Sagan can also access output formats such as:
  - MySQL, PostgreSQL, MS-SQL, Oracle (which can give you access to Sagan data alongside your IDS/IPS data using consoles like Snorby [http://www.snorby.org] or BASE.)
  - The Prelude framework
  - Sguil
  - ..and many more..

* Liblognorm functionality
  Liblognorm is a log normalization library that Sagan can use to extract useful information from logged messages, including TCP/IP information, user names, uid, etc. This library/project was started by Rainer Gerhards of "Rsyslog" fame and is being designed from the Mitre CEE (Common Event Expression) standard (not released/complete).
  For more information, please see: http://www.liblognorm.com/news/introducing-liblognorm and http://cee.mitre.org.

* "PLOG" support [src/sagan-plog.c]
  This is a syslog-based sniffer created from Marcus J. Ranum's "plog" work. Sagan can spawn a thread that will "sniff" the wire for syslog traffic. If traffic is seen, it is re-injected into /dev/log for Sagan to analyze and/or archive. This is handy for environments resistant to changes.

* Many, many bug fixes.....

Other Sagan features:

* Native threaded output support to Snort databases (MySQL/PostgreSQL)
* Native threaded Prelude plug-in
* Threaded libesmtp support (SMTP/e-mail triggered events) based on rule criteria or general Sagan configuration
* Native threaded Logzilla support (MySQL/PostgreSQL)
* 'Snort'-like rule set making Sagan compatible with rule management utilities like oinkmaster and pulled pork
* Sagan can spawn external programs when events get triggered. This way, you can write your own "plugin" in the language you choose (perl, C, python, ruby, etc).

For more information, please see: http://sagan.softwink.com

Thanks!,
Champ Clark III

--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
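As a concrete illustration of the "Snort"-like rule set the announcement describes Sagan applying to log lines, here is an added example that is not code from Sagan or from this post: a minimal matcher that loads Snort-style rules (msg/content/pcre/sid options) and runs them over syslog lines. The rule grammar is a simplified assumption, not Sagan's own syntax, and the rules and log lines are constructed for the example.

```python
import re
# Constructed, simplified Snort-style rule grammar (assumption, not Sagan's own syntax):
#   alert syslog any any -> any any (msg:"..."; content:"..."; pcre:"/.../i"; sid:N;)
RULE_RE = re.compile(r"^\w+\s+\w+\s+.*?\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Parse one rule into an option dict; the pcre is compiled once at load time."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule: %r" % text)
    opts = {}
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    if "sid" not in opts or "msg" not in opts:
        raise ValueError("rule needs both msg and sid")
    pcre = opts.get("pcre")
    if pcre:  # "/body/flags" -> compiled regex; only the i flag is honoured here
        body, _, flags = pcre[1:].rpartition("/")
        opts["pcre"] = re.compile(body, re.IGNORECASE if "i" in flags else 0)
    return opts

def match_line(rule, line):
    """True when every content/pcre condition of the rule hits the log line."""
    content = rule.get("content")
    if content and content not in line:
        return False  # cheap substring check first, then the costlier regex
    pcre = rule.get("pcre")
    return not pcre or pcre.search(line) is not None

def scan(rules, lines):
    """Return (sid, msg, line) for each log line that triggers a rule."""
    return [(r["sid"], r["msg"], ln) for ln in lines for r in rules if match_line(r, ln)]

# Constructed sample rules and syslog lines (not taken from a real system).
RULES = [
    r'alert syslog any any -> any any (msg:"SSH failed password"; content:"sshd"; '
    r'pcre:"/Failed password for (invalid user )?\S+ from \d+\.\d+\.\d+\.\d+/"; sid:5000001;)',
    r'alert syslog any any -> any any (msg:"sudo to root shell"; content:"sudo"; '
    r'pcre:"/USER=root.*COMMAND=\/bin\/(ba)?sh$/i"; sid:5000002;)',
]
LOGS = [
    "Mar  1 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2",
    "Mar  1 10:00:02 host sshd[1234]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2",
    "Mar  1 10:00:03 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
]

if __name__ == "__main__":
    for sid, msg, line in scan([parse_rule(r) for r in RULES], LOGS):
        print("[%s] %s <- %s" % (sid, msg, line))
```

Real deployments add the address/port fields, thresholds and classtype handling that a full rule language carries; this block only shows the content-then-pcre matching core.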
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/